While not your situation exactly, I wrote an article detailing how to use a firewall with KVM and OpenVZ machines.
http://www.montanalinux.org/proxmox-ve-with-shorewall-part2.html

If you ignore the OpenVZ parts, the way to use Shorewall with KVM is there. Hope that helps some.

/-\ndrew

On Tue, Mar 2, 2010 at 3:52 AM, Bike & Snow <[email protected]> wrote:
> Hello
>
> I have recently started using Shorewall to manage my firewall. I'm
> very impressed so far.
>
> Yesterday I installed it on 2 machines which run KVM (kernel virtual
> machine) virtualization.
>
> When a virtual machine starts, a virtual network interface(s) is
> created for the VM - vnetX. These in turn are connected to a bridge
> which uses a physical interface (eth1).
>
> What I need to do:
> a) Filter traffic on the management interface - eth0.
> b) Allow all traffic on the bridge - br0 - which in turn uses physical
> interface eth1. Each VM will handle traffic by running its own
> firewall.
>
> I'm using Shorewall 4.2.10.
>
> I spent ages using the "bport" option but I was getting nowhere. I
> could not get the traffic inside the VMs to route.
> So I changed the bridge interface to the same as eth0 - ipv4 - and it
> now works OK.
>
> Here is my setup:
>
> Zones
> fw   firewall
> lan  ipv4
> kvm  ipv4
>
> Interfaces
> lan  eth0  detect  dhcp
> kvm  br0   detect  dhcp,bridge,routeback
>
> Policy
> fw   all  ACCEPT
> lan  fw   REJECT
> kvm  fw   ACCEPT
> all  all  DROP
>
> Rules
> ACCEPT  lan  fw  icmp
> ACCEPT  lan  fw  tcp  ssh,https
>
> where "lan" is the local area network and "kvm" is the zone for the
> bridge which handles the VMs and their virtual network interfaces.
> As you can see, for the management interface I'm allowing icmp traffic
> for ping and SSH and HTTPS.
>
> I must stress that this machine is not connected directly to the
> internet but lives inside a secure LAN.
> So why bother running a firewall? Well this is a test for a machine
> that will be hosted in a data centre and will be connected directly to
> the internet.
>
> Now it's working but have I simply taken the easy route here when
> setting this up?
> Or should I try to get the kvm zone working as "bport"?
>
> Has anyone else set up a machine running a bridge for virtual machines?
>
> I've searched the documentation and this mailing list, but
> documentation is inconsistent for this setup.
>
> Thank you
>
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
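To see what the quoted zones/policy/rules actually enforce between the lan, kvm and fw zones, here is a toy evaluator over that configuration. It is an added example, not from the thread or from Shorewall itself; it assumes Shorewall's documented defaults that rules are consulted before policies and that intra-zone traffic (VM to VM across br0, which `routeback` permits) is ACCEPTed unless an explicit same-zone policy exists, and it ignores interface options, connection tracking and chain ordering.

```python
"""Toy model of how Shorewall resolves the posted zones/policy/rules.

Added example, not Shorewall code. Models two documented defaults:
rules are checked before policies, and intra-zone traffic is ACCEPTed
unless an explicit zone->same-zone policy is given (the 'all all'
policy does not match intra-zone traffic). Everything else is ignored.
"""

# The poster's configuration, transcribed from the thread.
POLICY = [
    ("fw", "all", "ACCEPT"),
    ("lan", "fw", "REJECT"),
    ("kvm", "fw", "ACCEPT"),
    ("all", "all", "DROP"),
]

# (action, source, dest, proto, ports); an empty port set means any port.
RULES = [
    ("ACCEPT", "lan", "fw", "icmp", frozenset()),
    ("ACCEPT", "lan", "fw", "tcp", frozenset({"ssh", "https"})),
]


def _zone_match(pattern, zone):
    return pattern == "all" or pattern == zone


def evaluate(src, dst, proto, port=None):
    """Return the verdict for one new connection from zone src to zone dst."""
    # 1. Rules are consulted first, in file order.
    for action, rsrc, rdst, rproto, rports in RULES:
        if rsrc == src and rdst == dst and rproto == proto:
            if not rports or port in rports:
                return action
    # 2. Intra-zone traffic: ACCEPT unless an explicit same-zone policy exists.
    if src == dst:
        for psrc, pdst, action in POLICY:
            if psrc == src and pdst == dst:
                return action
        return "ACCEPT"
    # 3. Otherwise the first matching policy in file order applies.
    for psrc, pdst, action in POLICY:
        if _zone_match(psrc, src) and _zone_match(pdst, dst):
            return action
    raise ValueError("no policy matched; Shorewall would refuse to compile")


if __name__ == "__main__":
    for case in [("lan", "fw", "tcp", "ssh"), ("lan", "fw", "tcp", "http"),
                 ("kvm", "kvm", "tcp", "http"), ("kvm", "lan", "tcp", "ssh"),
                 ("lan", "kvm", "tcp", "ssh")]:
        print(case, "->", evaluate(*case))
```

Note that the management interface answers unmatched connections with REJECT rather than DROP, which is visible to a scanner, while traffic between the kvm and lan zones is dropped in both directions; only the bridged VM-to-VM traffic rides on the intra-zone default.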
